[KLUG Members] re: PHP project

bill members@kalamazoolinux.org
Wed, 30 Oct 2002 12:17:50 -0500


Hi Randall,

Took a look at the code.  The multiple entry boxes don't work in Netscape or Opera
and so would not be able to use the form. I could see it in Mozilla and (ack,
cough) IE.  DHTML is nice, but you should provide a way for DHTML to fail
gracefully that still works for other browsers.

Here are a few other tips:

First off, take these lines out of the top, put them in a text file -above- your
web root, (maybe name the file dbconfig.inc and create a directory called
"configs") and then just include them in the script:

///////replace these lines//////////////
$sqlname = '****';      # mysql login
$sqlpassw = '****'; # mysql password
$sqldb = '****'; # mysql database
/////////////////////

with this:
include ("../configs/dbconfig.inc");

You can probably do your db connection there too.

That way the server will not serve up your pw info when PHP is disabled (like after
a failed upgrade).

Second, note how you populate a drop-down list:

<option value=\"Byron \">Byron R

That value will always come back with a space at the end of the value: "Byron ".
You should add a closing option tag at the end as well (<option
value=\"Byron\">Byron R</option>)

Third, give form fields intelligible names, instead of

<input type=text name=box2 value=$box2 >

do

<input type=text name='Customer' value='$box2'>

Also, you can fix memo content with strip_tags() and nl2br().  And why not use
htmlentities() for translation?

An easier way to create your insert string (to avoid the confusion you have with
quotes) is:

Instead of:

$ins="INSERT INTO rga1( restock_charge, recdate, salesman, ponum, orig_inv_num,
cust_company, cust_contact, cust_address, cust_city, cust_state, reason_code,
reason_memo) VALUES "  .
" ( $restock, \"$rec_date\", \"$box1\", $box8, $box7, \"$box2\", \"$box3\",
\"$box4\", \"$box5\", \"$box6\", \"$reason_specific\", \"$reason_memo\" );";

do

$ins="INSERT INTO rga1
(fieldname, fieldname2, fieldname3)
VALUES
('$fieldval','$fieldval2','$fieldval3')";

The whole thing is done in one swoop, no switching in and out of quotes.  Note how
the field vals are all surrounded by single quotes (simpler than \").  Because the
whole thing is inside double quotes ("") they will still be parsed.  And you don't
need an extra closing semicolon.  Always put it in multiple lines like that so
error messages (as in "mysql error line 3") are more intelligible.

Now, for item rows, imagine this scenario: a person says they want to return five
items, but only really need to return four.  They are presented a list of five rows
to fill in.  They fill in lines 1, 2, 3, and 5.  Line four is blank.  This will cause
you to have empty records (except for the rga_num) in your db.  So,

Instead of:

for ($iz=0; $iz<count($partnum_);$iz++) {
    //$iz is the array id
    // field value would be $partnum[$iz], even if this is a blank row
}

Use

while (list($key,$val)=each($partnum_)) {
    //$key will be each array id, like 0, 1, 2, 3, etc.  --And it will skip a blank row--
    //$val will be the field value
    // (each() was removed in PHP 8; foreach ($partnum_ as $key => $val) is the equivalent)
}


Lastly, and pretty importantly, you need to filter your input.  The vast majority
of bugs and flaws these days are buffer vulnerabilities.  What if your user tries
to hack by putting invalid info in your fields?  Get in the habit of filtering all
incoming data.

$fieldval=filterinput($_POST["field"]);

Where the function, filterinput, at least includes:

function filterinput($input) {
  $input = strip_tags($input);
  $input = AddSlashes($input);
  $input = nl2br($input);
  return $input;
}

You can add other stuff to check for integers, alpha, length, etc., etc.

That should be plenty to get you on your way.

kind regards,

bill

randall perry wrote:

> I learned of this October 24, 2002 on Virus focus list.
> Marketing tactics for porn hit a new low.
>
> PS
> I finished that mini-PHP project, here is the URL (of a copy of it) that
> you can check out.  Thanks to Bill and Wesley for inspiration on the
> PHPcode that shows multiple entry boxes on demand.  I have done tons of
> forms before, but this is the first with meaningful DHTML :).
> http://www.domain-logic.com/rga1.php
>
> there is a link at the top of page for the sourcecode.
> (no, it is not connected to a real database, so you should get an insert error)
>
> Randall Perry
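The following is an added example, not code from Bill's message or from Randall's rga1.php, that puts the advice in the thread into one runnable script: credentials loaded from an include outside the web root, every field passed through filterinput(), blank item rows skipped, and the INSERT written over several lines. It swaps one technique: instead of quoting each value inside the SQL string, it uses a PDO prepared statement, so AddSlashes() is dropped from filterinput() and nl2br() moves to display time. SQLite in memory stands in for MySQL so it runs anywhere; the include's variable names, the rga_items table and the reduced column list are assumptions, and the POST data is constructed.

```php
<?php
// Added example, not the message's or the project's code: a stand-alone
// handler for the RGA form discussed in the thread. SQLite in memory
// replaces MySQL; table/column names beyond those in the message are assumed.

// Real deployment: require '../configs/dbconfig.inc'; which would define
// $dsn, $sqlname and $sqlpassw (assumed names). Inlined here to stay runnable.
$dsn      = 'sqlite::memory:';   // e.g. 'mysql:host=localhost;dbname=rga' in production
$sqlname  = null;                // mysql login
$sqlpassw = null;                // mysql password

$db = new PDO($dsn, $sqlname, $sqlpassw);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Assumed schema, reduced to a few of the columns the message names.
$db->exec("CREATE TABLE rga1 (rga_num INTEGER PRIMARY KEY, recdate TEXT,
           salesman TEXT, cust_company TEXT, reason_memo TEXT)");
$db->exec("CREATE TABLE rga_items (rga_num INTEGER, partnum TEXT, qty INTEGER)");

// Input filter: trim, drop markup, cap the length. AddSlashes() is left out
// on purpose: the prepared statement does the quoting, so escaping here
// would store literal backslashes in the database.
function filterinput(string $input, int $maxlen = 255): string
{
    $input = trim($input);
    $input = strip_tags($input);
    return substr($input, 0, $maxlen);
}

function insertRga(PDO $db, array $post): int
{
    // Multi-line INSERT, as recommended, with placeholders instead of quoted values.
    $hdr = $db->prepare("INSERT INTO rga1
        (recdate, salesman, cust_company, reason_memo)
        VALUES
        (:recdate, :salesman, :cust_company, :reason_memo)");
    $hdr->execute([
        ':recdate'      => filterinput($post['rec_date'] ?? ''),
        ':salesman'     => filterinput($post['box1'] ?? ''),
        ':cust_company' => filterinput($post['Customer'] ?? ''),
        ':reason_memo'  => filterinput($post['reason_memo'] ?? '', 2000),
    ]);
    $rga = (int) $db->lastInsertId();

    $item = $db->prepare("INSERT INTO rga_items
        (rga_num, partnum, qty)
        VALUES
        (:rga, :part, :qty)");
    foreach ($post['partnum'] ?? [] as $i => $part) {
        $part = filterinput((string) $part);
        $qty  = filterinput((string) ($post['qty'][$i] ?? ''));
        if ($part === '') {
            continue;   // blank row: an explicit check, since no loop form skips it by itself
        }
        if (!ctype_digit($qty)) {
            throw new InvalidArgumentException("item row $i: qty must be a whole number");
        }
        $item->execute([':rga' => $rga, ':part' => $part, ':qty' => (int) $qty]);
    }
    return $rga;
}

// Constructed POST data standing in for the browser submission:
// five item rows with row 4 left blank, and a company name containing markup.
$_POST = [
    'rec_date'    => '2002-10-30',
    'box1'        => 'Byron',
    'Customer'    => 'Acme <b>Widgets</b> Inc',
    'reason_memo' => "Arrived damaged.\nBox crushed.",
    'partnum'     => ['A100', 'B200', 'C300', '', 'E500'],
    'qty'         => ['1', '2', '3', '', '5'],
];

$rga = insertRga($db, $_POST);

$cnt = $db->prepare("SELECT COUNT(*) FROM rga_items WHERE rga_num = :rga");
$cnt->execute([':rga' => $rga]);
echo "RGA $rga stored with ", $cnt->fetchColumn(), " item rows\n";

// nl2br() and entity encoding belong at display time, not before storing:
$memo = $db->prepare("SELECT reason_memo FROM rga1 WHERE rga_num = :rga");
$memo->execute([':rga' => $rga]);
echo nl2br(htmlspecialchars($memo->fetchColumn(), ENT_QUOTES)), "\n";
```

Run it with the PHP CLI (PDO and the sqlite driver are needed). The blank fourth row never reaches the database because the check on $part is explicit; the stored memo keeps its raw newlines, and only the output path converts them to <br /> after encoding entities, which is why filterinput() no longer calls nl2br() or AddSlashes().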